Ring-3 (user-mode) inline hook of ZwWriteVirtualMemory

// NTSTATUS is a 32-bit signed status code; declared here so the file does not
// need <winternl.h>/<ntstatus.h>.
typedef LONG NTSTATUS;

// Prototype of the ntdll export being patched. NTAPI (stdcall) matters: the
// detour below must use the same convention or the stack is left unbalanced.
typedef NTSTATUS (NTAPI *PNtZwWriteVirtualMemory) (
    IN  HANDLE hProcess,      // target process
    IN  PVOID  BaseAddress,   // destination address in the target
    IN  PVOID  Buffer,        // source bytes in this process
    IN  ULONG  BytesToWrite,  // length of Buffer
    OUT PULONG BytesWritten   // optional out-count
);

// Address of the real ntdll!ZwWriteVirtualMemory. Filled in by _START(); it is
// both the call target and the location that gets patched.
PNtZwWriteVirtualMemory ZwWriteVirtualMemory = NULL;


// Original first 5 bytes of ntdll!ZwWriteVirtualMemory, captured in _START()
// before the patch so the detour can temporarily restore them around the real call.
BYTE m_OldZwWVMBytes[5] = {0};

// The 5-byte patch written over those bytes: opcode 0xE9 (JMP rel32) followed by
// a 32-bit displacement to Mine_ZwWriteVirtualMemory.
BYTE m_HookJmpByte[5] = {0};

 

// Detour that receives every call to ntdll!ZwWriteVirtualMemory once the 5-byte
// jump in m_HookJmpByte has been written over the export's entry point. It logs
// the call and forwards it to the real function without altering arguments or result.
//
// Parameters mirror the NT export: hProcess, BaseAddress, Buffer and BytesToWrite
// in; BytesWritten out. Returns whatever the real ZwWriteVirtualMemory returned.
//
// NOTE(review): there is no trampoline — the detour unpatches, calls, and
// re-patches in place. Between the two memcpy calls any other thread calling
// ZwWriteVirtualMemory reaches the real function unobserved, and two threads
// entering this detour at the same time can interleave the restore/re-patch
// writes. Both memcpy calls also rely on the page still being writable, i.e. on
// the PAGE_EXECUTE_READWRITE protection set in _START() never having been reverted.
NTSTATUS WINAPI Mine_ZwWriteVirtualMemory( IN HANDLE hProcess, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG BytesToWrite, OUT PULONG BytesWritten )
{
    // Put the original prologue back so the real function can be called directly.
    memcpy(ZwWriteVirtualMemory,m_OldZwWVMBytes,sizeof(m_OldZwWVMBytes));
    // NOTE(review): the typedef returns NTSTATUS, not BOOL. Both are 32-bit
    // integers on Windows so the value survives, but the type is misleading and
    // the "%d" below prints a status code as a signed decimal.
    BOOL ret=ZwWriteVirtualMemory(hProcess,BaseAddress,Buffer,BytesToWrite,BytesWritten);
    // Log handle, destination, source, length and status to the debugger.
    // "%X" on handle/pointer values assumes a 32-bit build; the 1024-byte buffer
    // is far larger than this fixed-format line can produce.
    char buf[1024];wsprintf(buf,"ZWWPM : %X  %X  %X  %d %d",hProcess,BaseAddress,Buffer,BytesToWrite,ret);OutputDebugString(buf);
    // Re-arm the hook by writing the jump back over the prologue.
    memcpy(ZwWriteVirtualMemory,m_HookJmpByte,sizeof(m_HookJmpByte));
    return ret;
}

// Installs the hook in the current process:
//   1. resolves ntdll!ZwWriteVirtualMemory,
//   2. saves its first 5 bytes into m_OldZwWVMBytes,
//   3. builds a 5-byte relative JMP to Mine_ZwWriteVirtualMemory in m_HookJmpByte,
//   4. makes the export's page writable and writes the JMP over it.
// Used as a thread start routine, yet it takes no parameter and returns nothing,
// so the LPTHREAD_START_ROUTINE cast at the CreateThread call site hides a
// signature/calling-convention mismatch rather than resolving it. None of the
// Win32 calls below has its result checked.
VOID _START()
{
    // NOTE(review): a NULL result (export not found) is not handled; every step
    // below would then read from and patch address 0.
    ZwWriteVirtualMemory = (PNtZwWriteVirtualMemory)GetProcAddress(::GetModuleHandle("ntdll.dll"),"ZwWriteVirtualMemory" );
    CString strMsg;
    // "%X" with a function pointer assumes a 32-bit build (pointer fits a DWORD).
    strMsg.Format("ZwWriteVirtualMemory:  %X",ZwWriteVirtualMemory);OutputDebugString(strMsg);

    // Save the original prologue bytes; the success/failure return is ignored.
    ReadProcessMemory(GetCurrentProcess(),(LPVOID)ZwWriteVirtualMemory,m_OldZwWVMBytes,5,NULL);
    // The "m_OldRecvBytes" label looks copied from a recv() hook; the bytes
    // actually printed are m_OldZwWVMBytes.
    strMsg.Format("m_OldRecvBytes: %x %x %x %x %x", m_OldZwWVMBytes[0], m_OldZwWVMBytes[1], m_OldZwWVMBytes[2], m_OldZwWVMBytes[3], m_OldZwWVMBytes[4]);OutputDebugString(strMsg);   
    
    // Encode "JMP rel32": opcode 0xE9 followed by (target - patch_address - 5),
    // the displacement being measured from the end of the 5-byte instruction.
    m_HookJmpByte[0]=0xE9;
    // DWORD arithmetic on pointers is only meaningful in a 32-bit process; on x64
    // the casts discard the high pointer bits, and a rel32 jump cannot reach a
    // target more than about 2 GB away in any case.
    DWORD data=(DWORD)Mine_ZwWriteVirtualMemory-(DWORD)ZwWriteVirtualMemory-5;
    memcpy(m_HookJmpByte+1,(VOID*)&data,4);
    strMsg.Format("JmpByte: %x %x %x %x %x", m_HookJmpByte[0], m_HookJmpByte[1], m_HookJmpByte[2], m_HookJmpByte[3], m_HookJmpByte[4]);OutputDebugString(strMsg);
    DWORD dwScratch;
    // Make 10 bytes at the entry point RWX in the current process. The previous
    // protection is returned in dwScratch but never restored, so the ntdll code
    // page stays writable+executable for the life of the process — an observable
    // artefact of this hook — and the call's own result is not checked.
    VirtualProtectEx(GetCurrentProcess(),(LPVOID)ZwWriteVirtualMemory, 10, PAGE_EXECUTE_READWRITE, &dwScratch);
    // Write the patch; from this point the detour receives the calls.
    memcpy(ZwWriteVirtualMemory,m_HookJmpByte,sizeof(m_HookJmpByte));
}


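// MFC application-object startup. Logs a marker, kicks off hook installation on a
// separate thread, and defers to the base class. Returns CWinApp::InitInstance().
BOOL CInjectDllApp::InitInstance()
{
    OutputDebugString("InitInstance");
    // _START is declared as VOID _START() — no parameter, no return value, no
    // WINAPI — so it does not match LPTHREAD_START_ROUTINE; the cast silences the
    // compiler rather than fixing the mismatch. NOTE(review): on x86 the
    // cdecl/stdcall difference is undefined behaviour at thread exit — give
    // _START the proper DWORD WINAPI (LPVOID) signature.
    HANDLE hThread = ::CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)_START, NULL, 0, NULL);
    if (hThread != NULL)
    {
        // The handle is never used again. Closing it does not stop the thread;
        // it only avoids leaking one kernel object per InitInstance call.
        ::CloseHandle(hThread);
    }
    else
    {
        // Previously a failed CreateThread went unnoticed; make it visible.
        OutputDebugString("InitInstance: CreateThread failed");
    }
    // NOTE(review): if InitInstance runs under the loader lock (MFC DLL startup
    // path), the new thread cannot begin until the lock is released — confirm
    // against this DLL's load sequence.
    return CWinApp::InitInstance();
}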
